Cybercriminals have ways to hijack Google or other user sessions using stolen cookies or tokens, bypassing passwords or MFA. However, their efforts will soon be fruitless as Google is developing a new Chrome feature that binds cookies to a single device.
Cybernews has already highlighted the present dangers associated with cookies, as they can be easily stolen or generated to then bypass authentication methods like passwords and multi-factor authentication (MFA).
All cookies are vulnerable, and they’re all it takes to compromise Google or other accounts, Trevor Hilligoss, former FBI digital crime expert and current Vice President of SpyCloud Labs, has warned. Infostealers and other malware have already integrated functionality for stealing or generating cookies.
“Many users across the web are victimized by cookie theft malware that gives attackers access to their web accounts. Operators of Malware-as-a-Service (MaaS) frequently use social engineering to spread cookie theft malware. These operators even convince users to bypass multiple warnings in order to land the malware on their device,” Google explained in a recent blog post.
“The malware then typically exfiltrates all authentication cookies from browsers on the device to remote servers, enabling the attackers to curate and sell the compromised accounts. Cookie theft like this happens after login, so it bypasses two-factor authentication and any other login-time reputation checks.”
Google is working on a solution that will send cybercriminals back to the drawing board.
The new Chrome feature, called Device Bound Session Credentials (DBSC), will use cryptography to bind a cookie to a single device.
How will DBSC work?
Cookies are fundamental to the modern web as they make the online experience easier by saving browsing information so that sites can keep users signed in and remember site preferences. Due to their powerful utility, cookies are also a lucrative target for attackers.
DBSC aims to reduce account hijacking caused by cookie theft. Instead of a simple cookie, when you log into a website, Chrome with DBSC will create a new encrypted cookie. It will use a secret key generated by the device’s Trusted Platform Module (TPM), which is a specialized hardware security chip on the user's device.
Web servers will be able to associate sessions with public keys as a replacement for current cookies and verify that the user possesses the secret private key.
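The check described above, where a server ties a session to a public key and asks the client to prove it holds the private key, can be sketched as a challenge-response in Node.js. This is an added illustration, not code from Google or the DBSC proposal: the function names, the in-memory session store and the software key pair (standing in for a TPM-protected key) are assumptions.

```javascript
// Loads node:crypto whether the file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const { generateKeyPairSync, randomBytes, sign, verify } = nodeCrypto;

// Hypothetical server-side store: cookie value -> bound public key + pending challenge.
const sessions = new Map();

// Device side. Assumption: a software P-256 key stands in for a TPM-held key.
function createDeviceKey() {
  return generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Server: at login, bind the new session to the device's public key.
function registerSession(publicKey) {
  const cookie = randomBytes(16).toString('hex');
  sessions.set(cookie, { publicKey, challenge: null });
  return cookie;
}

// Server: issue a fresh random challenge for an existing session.
function issueChallenge(cookie) {
  const session = sessions.get(cookie);
  if (!session) return null;
  session.challenge = randomBytes(32);
  return session.challenge;
}

// Device: prove possession of the private key by signing the challenge.
function signChallenge(privateKey, challenge) {
  return sign('sha256', challenge, privateKey);
}

// Server: accept only a valid signature over the pending challenge.
function refreshSession(cookie, signature) {
  const session = sessions.get(cookie);
  if (!session || !session.challenge) return false;
  const challenge = session.challenge;
  session.challenge = null; // single use, so an old signature cannot be replayed
  return verify('sha256', challenge, session.publicKey, signature);
}

function demo() {
  const device = createDeviceKey();
  const cookie = registerSession(device.publicKey);
  const firstSig = signChallenge(device.privateKey, issueChallenge(cookie));
  const legit = refreshSession(cookie, firstSig);
  // The cookie value copied to another machine: that machine has no bound key.
  const other = createDeviceKey();
  const stolen = refreshSession(cookie, signChallenge(other.privateKey, issueChallenge(cookie)));
  issueChallenge(cookie);
  const replay = refreshSession(cookie, firstSig); // old signature, new challenge
  return { legit, stolen, replay };
}
```

Calling `demo()` returns `{ legit: true, stolen: false, replay: false }`: the cookie value alone, or a previously captured signature, is not enough to refresh the session.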
“By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise-managed devices,” Google said.
So far, the new feature is a prototype, and Google is experimenting “to protect some Google Account users running Chrome Beta.”
Google hopes to have an origin trial of DBSC in Chrome by the end of 2024 so that users can turn on the feature to get access to early functionality. Chrome will initially support DBSC for roughly half of desktop users based on current hardware capabilities, as TPMs for key protection are becoming more commonplace and are required for Windows 11. However, Google is also looking at supporting software keys for all users to avoid segmentation.
Many interested parties
“Many server providers, identity providers such as Okta, and browsers such as Microsoft Edge have expressed interest in DBSC as they want to secure their users against cookie theft. We are engaging with all interested parties to make sure we can present a standard that works for different kinds of websites in a privacy-preserving way,” Google said.
DBSC wouldn’t leak any other meaningful information. Google promises DBSC will be aligned with the phase-out of third-party cookies in Chrome to prevent it from becoming a new tracking vector.
“If the user completely opts out of cookies, third-party cookies, or cookies for a specific site, this will disable DBSC in those scenarios as well,” Google said in a blog post.